
lcars at gentoo
Aug 22, 2007, 11:34 AM
Post #4 of 4
Re: [gentoo-infrastructure] news update about the compromise
On Mon, Aug 20, 2007 at 08:22:02PM +0000, Andrea Barisani wrote:

Folks I had not a single reply about this. I cannot avoid to stress that the
more we wait the worse it gets image wise.

Robbat2 can you provide a status update?

Bye and Thanks to all

>
> Hi folks,
>
> robbat2 is finishing up analysis (robbat2 can you please ping me with your
> status) of the recent compromise and we should release a news update fairly
> soon, the press is starting to cover the story as "OMG critical servers of
> Gentoo are pwn3d" which is really not the case.
>
> So can I ask you to prepare a news update and send it to me, robbat2 and the
> infra/security team for review? (still waiting for robbat2 final analysis
> results).
>
> Anyway, here are the facts:
>
> a) there's no evidence of other than local account privileges being accessed
>
> b) those privileges apparently have not been used at all, it seems that only
> some script kiddies tried and failed
>
> c) the server is not critical to gentoo and it provided only informational
> services, it's in no way connected to active development, package creation or
> portage mirrors
>
> d) because of c) we have the luxury of *treating* this as a full compromise
> and take proper mitigation steps which consisted in revoking the few
> credentials that were on it (not sufficient anyway to gain access to other
> boxes even if cracked).
>
>
> So yes, there was a vuln, it was embarrassing (and it will prompt better code
> review), but no damage has been (apparently) perpetrated...and if so it's
> anyway not affecting critical operations and well within containment.
>
> Now I have no hope that the press will pick the update but the least we can
> do is publish a follow up on the site.
>
> PR, can you draft something and send it for review?
>
> Robbat2, can you confirm my analysis?
>
> Thanks to all
>
> --
> Andrea Barisani <lcars [at] gentoo>                            .*.
> Gentoo Linux Infrastructure Developer                           V
>                                                               (   )
> PGP-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc    (   )
> 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E             ^^_^^
> "Pluralitas non est ponenda sine necessitate"
> --
> gentoo-infrastructure [at] gentoo mailing list
>

--
Andrea Barisani <lcars [at] gentoo>                            .*.
Gentoo Linux Infrastructure Developer                           V
                                                              (   )
PGP-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc    (   )
0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E             ^^_^^
"Pluralitas non est ponenda sine necessitate"
--
gentoo-security [at] gentoo mailing list